docs: Update git-crypt key management instructions and pre-commit check
This commit is contained in:
parent
f8f950fd7a
commit
4ed7b8edd0
3 changed files with 24 additions and 7 deletions
|
|
@ -16,7 +16,7 @@ gcrypt_export_key() {
|
||||||
mkdir -p "${KEYS_DIR}"
|
mkdir -p "${KEYS_DIR}"
|
||||||
git-crypt export-key "$key_path"
|
git-crypt export-key "$key_path"
|
||||||
success "Symmetric key exported to: $key_path"
|
success "Symmetric key exported to: $key_path"
|
||||||
warn "Action required: Store this key in Vaultwarden and remove it from local disk."
|
warn "Action required: store this key in Vaultwarden and delete it from disk."
|
||||||
}
|
}
|
||||||
|
|
||||||
gcrypt_verify() {
|
gcrypt_verify() {
|
||||||
|
|
@ -162,9 +162,16 @@ gcrypt_print_key_instructions() {
|
||||||
echo " Name: \"${genome_name} key\""
|
echo " Name: \"${genome_name} key\""
|
||||||
echo " Note: <paste the base64 string>"
|
echo " Note: <paste the base64 string>"
|
||||||
echo ""
|
echo ""
|
||||||
echo " 3. For AI Server / Runtime Injection:"
|
echo " 3. Delete from disk:"
|
||||||
echo " export BW_SESSION=\$(bw unlock --raw)"
|
echo " rm ${KEYS_DIR}/${genome_name}.key"
|
||||||
|
echo ""
|
||||||
|
echo " 4. Runtime injection on AI server (no key on disk):"
|
||||||
|
echo " bw config server ${v_url}"
|
||||||
|
echo " export BW_SESSION=\$(bw unlock --passwordenv BW_MASTER_PASSWORD --raw)"
|
||||||
echo " git-crypt unlock <(bw get notes \"${genome_name} key\" --session \"\$BW_SESSION\" | base64 -d)"
|
echo " git-crypt unlock <(bw get notes \"${genome_name} key\" --session \"\$BW_SESSION\" | base64 -d)"
|
||||||
|
echo ""
|
||||||
|
echo " NOTE: use 'bw' (standard Bitwarden CLI), NOT 'bws'."
|
||||||
|
echo " 'bws' is the Secrets Manager CLI and does not work with Vaultwarden."
|
||||||
}
|
}
|
||||||
|
|
||||||
gcrypt_print_runtime_model() {
|
gcrypt_print_runtime_model() {
|
||||||
|
|
@ -181,13 +188,13 @@ gcrypt_print_runtime_model() {
|
||||||
echo " smudge filter. Obsidian reads them as normal Markdown."
|
echo " smudge filter. Obsidian reads them as normal Markdown."
|
||||||
echo ""
|
echo ""
|
||||||
echo " On the AI VM:"
|
echo " On the AI VM:"
|
||||||
echo " Same as laptop when unlocked. Use runtime injection (step 5"
|
echo " Same as laptop when unlocked. Use runtime injection so the"
|
||||||
echo " above) so the key is never written to disk."
|
echo " key is never written to disk."
|
||||||
echo ""
|
echo ""
|
||||||
echo " Limitation:"
|
echo " Limitation:"
|
||||||
echo " Encryption does NOT protect against a full server compromise"
|
echo " Encryption does NOT protect against a full server compromise"
|
||||||
echo " where an attacker has root access to a machine where the repo"
|
echo " where an attacker has root access to an already-unlocked repo."
|
||||||
echo " is already unlocked. Runtime injection mitigates this."
|
echo " Runtime injection mitigates this risk."
|
||||||
echo " ─────────────────────────────────────────────────────────────"
|
echo " ─────────────────────────────────────────────────────────────"
|
||||||
echo ""
|
echo ""
|
||||||
}
|
}
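Review bot: The new step 4 heading "Runtime injection on AI server (no key on disk)" and the matching lines in gcrypt_print_runtime_model overstate what the process substitution buys: `git-crypt unlock <keyfile>` copies the key into `.git/git-crypt/keys/default` of the working repository so the smudge/clean filters can run, and as far as I recall it stays there until `git-crypt lock` is run, so the key is on disk for the whole life of the unlocked checkout — `<(bw get notes …)` only avoids a second copy under ${KEYS_DIR}. That also undercuts the "Limitation" paragraph's claim that runtime injection mitigates a root compromise of an already-unlocked repo: root can read both the decrypted working tree and `.git/git-crypt/keys/default`. Suggest rewording the heading to `echo "   4. Runtime injection on AI server (no key file outside the repo):"`, adding a closing step `echo "      git-crypt lock   # when done: removes the key from .git/git-crypt/"`, and changing the limitation line to `echo "   Runtime injection limits exposure only while the repo is locked."`. gcrypt_print_runtime_model's body begins outside this hunk.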
|
||||||
|
|
|
||||||
|
|
@ -38,6 +38,9 @@ current prompt, you MUST operate in `disabled` mode. Never infer or assume the v
|
||||||
- **Never leak private synthesis into public `wiki/concepts/` or `wiki/sources/`.**
|
- **Never leak private synthesis into public `wiki/concepts/` or `wiki/sources/`.**
|
||||||
- Prefix every response that draws on private data with: `[PRIVATE DATA INCLUDED]`
|
- Prefix every response that draws on private data with: `[PRIVATE DATA INCLUDED]`
|
||||||
|
|
||||||
|
### Pre-commit failures:
|
||||||
|
If a commit is rejected by the pre-commit hook with a **"PLAINTEXT LEAK DETECTED"** warning, **DO NOT** attempt to bypass it with `--no-verify`. Stop the session and ask the operator to verify the encryption state and `.gitattributes`.
|
||||||
|
|
||||||
### On the AI server — runtime key injection:
|
### On the AI server — runtime key injection:
|
||||||
The git-crypt key must never be stored as a persistent file on the AI VM.
|
The git-crypt key must never be stored as a persistent file on the AI VM.
|
||||||
```bash
|
```bash
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,13 @@ set -euo pipefail
|
||||||
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
|
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
|
||||||
FAILED=0
|
FAILED=0
|
||||||
|
|
||||||
|
# Check on git-crypt
|
||||||
|
if [[ ! -d ".git-crypt" ]]; then
|
||||||
|
echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m"
|
||||||
|
echo "Run 'git-crypt init' and 'make setup' before committing."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Get staged files (excluding deletions)
|
# Get staged files (excluding deletions)
|
||||||
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
|
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
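Review bot: The new guard `[[ ! -d ".git-crypt" ]]` tests the wrong artifact for the failure it is meant to catch. A plain `git-crypt init` (the command the error message tells the user to run) writes its key under `.git/git-crypt/`, not a top-level `.git-crypt/`, which git-crypt only creates when a GPG collaborator is added; so, as far as I can tell, a symmetric-key-only setup like the one the key-management helper describes will always hit [CRITICAL], while a fresh clone of a GPG-enabled repo passes the check with no filter configured — exactly the state in which private files get committed as plaintext. Suggest checking the local filter and key instead, e.g. `if ! git config --get filter.git-crypt.clean >/dev/null || [[ ! -f "$(git rev-parse --git-dir)/git-crypt/keys/default" ]]; then`, which also works in `git worktree` checkouts where `.git` is a file rather than a directory. The rest of the hook, including the per-file PLAINTEXT LEAK check, lies outside this hunk.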
|
||||||
|
|
||||||
|
|
|
||||||